Creating and managing custom GIM certificates
You can replace the default, privately signed Guardium® certificates with certificates from a trusted CA without interrupting communication between the GIM server and the GIM clients.
Before you begin
- All GIM clients must be running v11.0 or higher. CAUTION: Failure to upgrade the clients before you start this procedure complicates certificate distribution and can require substantial effort to recover GIM clients that run earlier versions.
- Make sure that a GIM client is registered to the Guardium appliance.
- To comply with the mutual Transport Layer Security (mTLS) requirement for Guardium Installation Manager (GIM) client-server communication, custom certificates must meet the following requirements:
- Certificates must not contain Subject Alternative Name (SAN) entries, which keeps verification straightforward.
- If an Extended Key Usage (EKU) extension is present, it must include both serverAuth and clientAuth, so that the certificates can authenticate both the server and the client endpoints.
About this task
Communication between the GIM server and the GIM clients is secured by an encrypted channel and by authentication. When you install GIM, it uses default Guardium certificates that are privately signed. Best practice is to install your own certificates from a trusted CA. In both cases, the certificates are stored on the GIM server and distributed to the GIM clients.
When you enable this feature, each GIM client downloads its new certificate but continues to communicate with the GIM server by using its current certificate. After the new certificates are downloaded to all of the GIM clients, you install the new certificate on the GIM server, and each GIM client switches to its new certificate. The clients and their server do not lose any communication.
You can activate GIM listeners after the GIM certificates on the appliance have been changed. See What to do next.
You can observe progress in the GIM Distributed Certificates report, and view GIM events in the GIM Events List report.
The pre-v11.0 method of deploying certificates is fully compatible with this new method. If you deploy certificates with your own tooling, you can configure GIM to use those certificates through the common GIM update parameters mechanism.
For authentication to succeed, all certificates must be signed by the same CA chain (the root, and the intermediate if applicable), whether the CA is trusted or private.
Certificates expire at some point. Use the command show certificate warn_expired to list all certificates that have expired or that expire within the next six months. When your certificates are due to expire, repeat this procedure with the new certificates.